Downloading and selling movies? That's bad, m'kay? Using someone else's Netflix password? Oh, well, that's no big--wait. Actually, log in to someone else's Netflix account, even with their permission, and you just might be starring in your own reality version of Orange Is the New Black. At least, that's the potential raised by a recent ruling from the U.S. 9th Circuit Court of Appeals.
The Case Behind the Go-to-Prison Scare
The ruling that could change the game for Netflix--or really, any subscription service--involved David Nosal. When Nosal left his job at Korn/Ferry, the company revoked his rights to access a company database. A current Korn/Ferry employee then allowed other Korn/Ferry employees to use her password to access the database on Nosal's behalf. Because the employee who provided the password was an authorized user rather than the owner of the systems involved, the court convicted Nosal of conspiracy, computer fraud, and trade secret theft in 2013 under the Computer Fraud and Abuse Act (CFAA). The appeals court's ruling in early July upholds Nosal's original conviction.
A Confusing Precedent
Based on the court ruling, there's legally not much difference between Nosal's activity and the average Joe using someone else's password to binge on a few Mad Men episodes--if Netflix hasn't directly authorized you to access their servers (computers) via a membership, then technically, you're violating CFAA. That's worrisome in part because, as Judge Stephen Reinhard stated, the ruling "loses sight of the anti-hacking purpose of the CFAA" and could label everyday activity for Americans as criminal. It also raises other questions, such as how companies such as Netflix could enforce the law while staying within privacy boundaries.
Technology currently allows these types of businesses to limit streaming channels and determine accessibility by IP address or even geolocation, but even those tactics don't guarantee that the person entering the password is the individual the business has granted an account. The ruling also makes it unclear how businesses whose employees distribute passwords to give guest access to various services (for example, a librarian giving out a password for internet or database clearance on the library's computers) should proceed.
Why Companies Might Turn a Blind Eye
Of course, in order for the court's ruling to be a problem for you, the company you violate has to actually care about the violation and file charges. Netflix apparently doesn't give two snowflakes on an iceberg what you do with your password. In fact, Netflix wants you to share it. Company leaders see it as way to let customers do marketing--if people can taste the goodness of a membership through you, they'll likely get hooked on the service and eventually sign up for a subscription themselves. As Netflix CEO Reed Hastings stated in January, "As [kids] have an income, we see them separately subscribe. It really hasn't been a problem."
Avoiding Legal Hot Water
Comments from Netflix's guru seem to blow a lot of the wind out of the appeals court's ruling, giving the impression that there's no real reason to panic about sharing your password. Still, not all businesses will necessarily share Netflix's view. At the very least, review your provider's password policy and restriction and prosecution track record before trusting someone else with your characters and digits. Even better, keep in mind, it's not all that much effort to sign in and then hand someone your remote--or, as Netflix craves, for you to point out the subscribe button.